
so what I try to create here on the second day is we really talked more about leadership and moving up into management because I think one of the reasons why we have such turnover in our industry is that we don't have people who are looking at long term career planning we don't talk about that enough we talk about the certs that you need but we don't talk about the thinking of moving to the next level and a lot of times we think that our manager at our job is going to have that responsibility or the recruiter who hired me is going to have that responsibility but they're not your career development and your career search is your responsibility but
we're not doing enough in the community to really talk about how do I have that 5 to 10 year view not so that you can answer that question during the interview but so that you can put the blocks in place so that you can support your career so I was really excited to see Joey's presentation submitted and without further ado lost knowledge

thank you welcome everybody thank you for coming this morning we're still morning right yeah lost track of time this week so this is hacking from above and so the reason so quick background before against the reason I'm doing the talk so I've been in InfoSec for about 14 years now you know I've done management leadership
for a large chunk of that I've also like left management roles because they like turned bad right and so I've had have learned a lot in that time of like what's what was good and what was bad about being in management and being in leadership positions and understanding the reasons why I left so right now currently work as a director of security for for data machines and that's kind of where I've been able to kind of take all my lessons learned and start to focus them more into into what I'm put what I've put into this talk so the reasons why kind of as I mentioned you know sharing my experiences letting people know what you know
what I've done and and what mistakes I made right because I think that's one of things that we often have a bad time like doing is like sharing mistakes like everybody's really like love sharing like their successes but nobody's really big on sharing like where they failed and insuring our failures and our mistakes you know we can help other people you know avoid repeating them so that was one of the reasons I think a lot of people in the community fear this path just in general right it's it's interesting because I feel like we spend a lot of time complaining about our managers don't know what it is we do or they're not technical enough but at the
same time there's not enough of us who want to go and do those jobs right so if we're not willing to go do the jobs of the people who are managing us then we're never gonna fix the problem the other reason I've talked about I like the idea is it's also easier to change corporate policy to change like ideas and the way thinking works the further up the food chain that you are when you're down here even if you had 20 people on a team who all said this is being done wrong and that gets translated to the manager if he doesn't have enough knowledge and skill to translate that up it just fails but if
you have somebody at that level who can make the same conversations and arguments it makes a big difference in the way things happen within a company so a couple quick slides I want to go through on kind of distinguishing between leaders leaders and managers right there's there's this you know you can if you search around online you'll find tons of people who will do discussions about all what's the manager what's a leader right so I've kind of compiled a couple differences in similarities right management managers in general it's all about you know trying to keep people on tasks keep budgets keep project schedules it does a lot of deals a lot with bureaucracy and managers will bet so the last bullet and
there it's honest it last me the bad manager paper when things go well and we'll blame off to everybody else when it goes bad right and so I'm sure everybody's worked for those managers who were really great at stealing credit never passing it around and are great for passing around the blame and never taking it on themselves I've had the energy for who you know project will fail and they had as much equal part if not more of a part in the failure of the project but in the end they start pointing fingers at the people on the team who are like well they weren't doing this or they doing that and so you
know that's one of the distinguishes between leadership and management because leaders don't necessarily have to be managers right we all work with people on our teams now probably who can like direct the room and can lead the group but they aren't necessarily always your manager right managers you know learn to teach develop a motivate you know there's a ton of people around at this conference this weekend as a ton of people you're gonna run into in life who would qualify as leadership I tried to come up with a non sports ball reference but I really was having a hard time so that's why like we've got like the quarterback right like if you look at
like a football if you look at like any sport event right you're the none of the players are technically the manager right the coaches are the ones who are actually managing and directing trap and theory directing traffic but the leaders on the field are the players that grab the attention of everybody on the team and get them to move in a common direction right they can pick up a team who's down and and make them want to fight and go forward and so for me that's the big difference and it can be hard to balance the two like if you move into management right you're dealing with all the bureaucracy but it can be really hard sometimes to to balance that
with handling and and managing you know the people aspects of it to to to kind of keep things to moving so it's it's it's really hard it can be really hard to do so there are similarities right you know as kind of as I saying they're both kind of the people in charge you know if they may not always be the person in charge on paper particularly in the form of leadership but they're always the people that you know that people are going to and that are kind of directing tasks they both need to be capable of dealing with people in conflicts even the managers need to be able to do that just because they have to handle the HR side of
things right if two people can't get along they have to be able to deal with that level of you know of interaction whereas the lead the the leaders can can look at it as a more like organic situation where they're trying to motivate people trying to get people to work together and their their methods may be different than like a true like static managers methods and then the other thing is just both need to be able to understand the goals and visions of the team right you know they need to be able to delegate tasks to know who on the teams best at doing each function and so that's very important and they need to
be able to motivate people now these motivations may come in like different forms right so like for a leader they're gonna come up with more they're always gonna have some sort of positive means to to motivate the team not all managers will necessarily do that right and again people probably work for the management team that's like no you need to get this done by this date or you're gonna need to be looking you know you're gonna be out on your ass looking for a job right so it's it's it there's very much you know there are good managers they're not all evil right but you you need to be able to recognize you know the the differences between the
two so the question you know becomes what do you want to be right you know the one of the key takeaways here needs to be that like anyone can be a leader like it doesn't matter what your position is you know there's no some companies do have like leadership level titles right they'll have team lead roles where they're just technical leadership for a group and some organizations will saying they'll have like roomfuls of senior engineers and just kind of expect them to work together at the direction of like a program manager or an actual like manager and I'll admit management work isn't for everybody it can be a very stressful situation given your
environment in the situation and what's going on it can be it can be a lot of work so my first management gig was when I was 29 years old and it was very tough you know I had a lot of lessons to learn and I was definitely not ready at that age to kind of be making the decisions and choices at that level and so it was a lot of that was probably my biggest learning experience was that you know learning the difference between what I needed where I needed to worry about my concerns and what my needs were and those of my team and that could be a very difficult choice to make when
you're dealing with a team and choices that you make don't just impact you and your well-being but impact everybody who's working with you it's also I mean it can be very rewarding if you do it right like don't get me wrong like it's it can be great like I enjoy the leadership side of it to help people develop and grow but it's you know it like I said not for everybody and if you want to you know if if you're somebody who's talked about or said oh well I can run an organization like doing leadership and management before as definitely like a must because if you haven't directed people and haven't dealt with those situations before trying to do it while
you're building a company is probably the worst time to actually have to be trying to both like you know capture you know profit and an income for your company and while trying to manage your people and resources and everything else so I want to try to jump into some of the skills you know that we kind of equate to both technical you know ability as well as you know just you know hackers and hacker culture and and how I think they translate so when the first ones creativity and problem-solving so I think this is like one of the kind of essential like hacker traits right like you know we try to you know hackers like to look at problems
and try to find new ways to solve them try to find a way to break systems that you know or functional and so you know there's there's plenty of situations where those skills can come in handy right I don't care how flush with cash organization you're working for is you're always going to be trying to do more work with fewer resources than you have working in large corporate systems is is its own beast too because they have their own policies and you get into these giant companies where you know there's like you know manuals for HR that you have to work within for doing hiring and management and how they do performance reviews and and so finding
ways to like work within and around those it can be can be a tricky aspect too and so it's it's it's kind of its own level of problem-solving so our technical skills a lot of these come down to you know you know as I've said leadership isn't always management right so you may still be in technical roles team leads are often still doing to end work they just may have less of it than the standard engineers and small organizations in particular your people always doing kind of a little bit of everything or ain't so the company I work for now they it's it's a small organization I am the security guy so I literally do
a little bit of everything that is security focus across different projects both our internal facing external so it's you know I have my hands and you know everything from policy to penetration testing to you know our network defense so it's kind of all over the board right I firmly believe leader technical leadership and technical managers have more respect from their teams right it's it's a lot easier to know that you know somebody's there defending your actions and defending what you do to people above you when they know the work you're doing they understand you know you're the same the goals the same way that the team does and you know and that also comes to
being able to translate that information right being able to you know explain to management why you need more money for new people why you need more money for new tools or training right I know a lot of people who go into organizations and the they have lots of fights to be able to send people to conferences or send people to training classes because nobody but nobody in management understands like the the requirements and the amount of skill sets and how things are constantly changing particularly in our field right so it kind of call this the social engineering or soft skill section all right and there's kind of two parts to it if you're in management there's a whole
side to having to deal with like upper management having to try to get them to sometimes especially if you're running into you know a brick wall you know having to find ways to get them to give you what you need and give you what you want and also being able to affect the changes that you want to see in policy right and that's when things I said near the beginning is you know I want to be able to have a situation where you know we can impact not just you know the team but also be able to impact cultures and create cultures where security is understood and respected while at the same time you know having tea having the
ability to to change things so like if they don't have training policies in place getting policies in place so the teams can have training and it's not just a budgetary line-item you have to fight for every year it's something that can be codified and that is known no matter what happens this is in policy you're going to have it and then you know working with team members right you need to be able to handle people within a team like I don't care how great a culture you have you're going to have conflict within a team it's always going to happen we are human in the end so you know you need to be able to to handle those conflicts people
are gonna have like situations in their home life that are gonna bleed into their work life being able to to work with them to keep them motivated to get them focused but also knowing when to be able to tell them you know you're going to have the guy on your team who's like oh well I'm never sick or I don't ever need to take vacation and they're gonna work work work and unless you like sit them down and and help them understand hey you can take a week off it's cool like we've got you know that we've got everything under control like you like if people don't take a break and relax you wind up like me enough and not even
40 and your hair is already open so it's you know it's people will stress themselves out and go themselves out and even at my current company we've got a couple of junior people are like oh no I don't keep giving me more more and really no like stop and slow down like you don't need to you don't need to burn yourself out trying to do more work than you're capable of doing so do all these things really add up you know a lot of it is you know a factor of everything that you have here but also you know what you've learned in life and in just overall maturity like I said when I had
my first management gig I wasn't ready for it at all and it took me some time to determine that that's what I really wanted to do and so before my current job I was doing consulting work and I wasn't the the manager but I was one of the senior members of the team as helping our junior engineers kind of get them trained up help them with their with their roles in their tasks and it and that's when I was really knew that that's kind of where I wanted to be and like that I was ready to be in leadership to be managing and and actually in that position again to help people come up you know it's anybody
who's worked in the sector and it's technical you know how much effort not only goes into like our daily jobs but even just keeping up with all the changes and everything else and so I want to be able to take all my experience and time and help new people come up and and do those things so that you know I can I can take a step back and not have to spend as much at that time trying to keep up with everything but help others kind of coming up and get them moving kind of in the right direction
so I know it seems like I got to closing really quickly but I also wanted to may have tons of time for questions so I hope you have them looks like so just kind of this is really the summary points if you like to have like notes and like want to like snap this or write it down I won't repeat to solve because this is pretty much everything I've been saying throughout the presentation right you know where these things can how these skills can impact you you your organization your teams your leads I think it's it's one of those things that a lot of people you know get lost with right is you know there's this there's a
lot of this the other reason you know that some of us wind up having to look at management or get forced into it is they'll cap out our technical roles right you get to a point where this is as far as you're ever gonna go and this is as much as we're ever gonna be able to pay you as much as you're ever gonna be able to do and if you want to make more or do more or go anywhere else you're gonna need to become a manager and this is particularly true at like a large organizations that are very project focused you know some organizations do have like advanced technical tracks but they're usually you
know very tech focused companies and those positions are like so few and far between you're you're almost never gonna find them you know available unless you've been working for companies for the last 20 years now I'm going to breathe because I did I did like I said I did run through that and I apologize but that's why I want lots of questions yes microphone yes

so we all know how important the technical training is have you gone through or have any recommended leadership or management training courses you found useful

so leadership and management trainings so all the ones I've ever done were both internal to organizations I worked at the time so I did one with
SAIC gosh I was almost like seven years ago and another one at a small contracting company I worked for about like four years after that and they were both good and they were focused very much you know government contracting space so they had like very like specific focuses I always tell people I kind of equate it to like if you go into like the lot like if you go into a bookstore and you go to like the leadership section a manual section you're gonna find like a thousand books and they're all gonna have different opinions on how to like to be a leader and a manager and I you can go and you can read those books and you may not
come out learning anything new like I really feel like I learned more from my life experiences than I did from from those courses what those courses were good for is learning the technical bits right you know learning how learning things that I probably wouldn't have learned without like having hands-on and that can be and nobody likes to give you the reins to like a large sum of cash if you don't know how to handle a large sum of cash so those are the situations where those trainings can come in handy so like if you're working in an organization and you want to move into management and they're like well we have this you know you'd be managing this
program that's worth like five million dollars you know you do you understand how you budget time and people and those are the skills that can be hard to learn and translate but they're still very they're still they're easy to grasp and pick up on it's just a matter of like getting the experience and I had a benefit it in the first management job that it was a small enough organization I could have time to absorb some of that end but those are the things I think are the most helpful to learn because in the end I don't know how much of the like leadership and like interpersonal stuff is actually like teachable and trainable right because that's so much of how like
a person functions and behaves that it can be like a tough trait to kind of like change and to try to like redirect so we talked about this on the podcast yes so again the opportunities within any type of volunteer organization is there I mean this does not this conference doesn't run for free you know we're talking several hundred thousand dollars so those leadership skills you you learn on them you learned them as you have experiences as you are interacting with different kinds of people I was on a board and there was somebody that he and I kept butting heads time and time again and I just sort of thought it was him until I
realized it was both of us and once I changed my behavior and became a better leader and listened rather than told him what to do we got along but you you find those opportunities in volunteering

yeah no that's that's a very good point and like especially dealing with like person like with with personal like conflict and stuff like that it's a great way like so I volunteer here and a couple other conferences doing safety operations or some of the other councils call it security but you know the whole the concept is the same right you know keeping everyone happy and safe during a conference you learn a lot about de-escalation and interpersonal skills right because two people may have a
conflict with each other and it's only just like it was all about you know miscommunication right so you you learn a lot of those sort you can learn a lot of those skills through through the volunteering process yes

so just a quick question you you touched on something that I think is sort of contradictory and not to throw you out here because I've heard it multiple times all over the place is to say that anyone can be a leader in an organization but then to also have a slide that says you have to jump take the jump to actual leadership to be able to effect real change so how do you speak to someone at
say the individual contributor level that is a leader within their their group or their team or whatever how do they interact with leadership at that level to be able to actually affect that change and then from the other side how as a leader do you make sure that you're listening to those individual contributors and using your authority in your position with the organization to make sure that that change actually gets affected

right so that that's so I think the the easiest way and often what happens for that to come from like non management positions for like somebody to have that change is usually after the person who you'll usually have like a person who's a leader and within the
team who also has like that same respect from the management who listens and values that opinion right so I've worked in a situation where I had the organization worked at the CISO and the my boss had a long-standing relationship so anything he'd come to him with you know they've been working for multiple years across multiple companies they had that trust right and and so he had the ability you know he was also my manager but he also had the ability to influence up to the CISO level because of those long-term relationships and a lot of it a lot of that is all about relationship building because you need somebody that the or because if you don't have somebody in
the management position who can do that you need somebody that has that level of trust and also has the ability to like they'll have the follow-on and knows that they can see the results and ultimately a lot of this all comes down to trust right and this is why a lot of people who leave organizations is because that trust gets violated or that trust or people don't feel that trust is there anymore and so you know it's it's at that point you kind of have to go and it's like you know it's time to move on and unfortunately like the it's some in some situations there's not gonna be an easy way to ever fix that because you
know and until change happens you know at the highest levels and that that can take you know decades in some cases if if everything's running smoothly people at the top usually would prefer to stick with what they know is working and they're mine versus you know having some some big change

I've worked for several organizations that have a bit of a hesitancy to promote ICs to managers choosing instead to look for people who have management experience already do you have any suggestions to kind of break that catch-22 cycle

so I think I think for organizations so this is one thing reasons why I think well nothing's as one reasons I know that SAIC when I worked there had their internal training
programs was because they knew they needed people who knew their government customer spaces and worked in those facilities but also needed to learn the skills to manage the projects manage the budgets and needed to also learn some of them sometimes needed the interpersonal skills so when you're doing government contracts you may have 20 people on a contract who never see each other again they're all in like different offices spread throughout and so you know I think I think the best argument for that is usually to is is kind of to show hey if we took these people and elevated our own people to this position you know you can show them where the the continuation
of growth is so it gives a gives people like a reason to stay right like if I'm in a job and no I'm never going to get promoted above my current position and I have that desire you know why am I gonna stick around if if you're gonna keep hiring outside managers so you they have to be willing to to make that commitment and and make that that change which and some organizations just aren't like I said this sometimes there's only so much we can do until you get somebody who's up there and it's it is like a catch-22 right it's like how do we get there if nobody's gonna let us in and sometimes
the trick is we have to find a place that lets us in so that you can then pivot to the other organization and make that change because now they're like oh he did that over here for you know X amount of time so he's got this experience will bring him in over here you know an example of this I've seen is like if you look at like job requirements for like CISOs they all every job posting you're gonna see first says oh they want a person who's been a CISO for like 10 years I'm like well then where the heck is the first CISO coming from because I can't you can't have 10 years experience as a CISO
and get a job as a CISO that's not how it works right so like at some point somebody has to give somebody that chance to to see you know if they can do it and if they do and have success then yes they can move on and grow up to to bigger and better things but I think you know it's it's a problem that some organizations just can't get out of their head right

I just had a point so related to the last question to demonstrate management skills volunteer at the organizations and then if you continue to not be promoted into management okay well then maybe it's time to look somewhere else right so
again I hope that we continue to have the discussions in here to help you guys think maybe outside the box a little bit because you don't want to get stuck at your organization if you were if you were doing the things like volunteering and other events to demonstrate you know whether it's management skills or whether you're trying to you know obtain you know other InfoSec skills outside of what you can do for your job right put that down on your resume to demonstrate to your current employer yeah right and I can't I can't agree more about the trust thing yeah sorry leadership is not necessarily management but keep in mind that management especially the lower
tiers can be a significant career risk just speaking as someone who knows a company that looked at the stats and said oh wait a minute we should be 80% engineers rather than the 50% we are there's a lot of staff that aren't engineers all of a sudden that are sweating

so I want to thank Joey for his time it was a great talk I want to so let's give Joey a round of applause [Applause]